The Gramm-Leach-Bliley Act

Top News

Victoria's Secret and Financial Privacy. Outside the Beltway, it is not well known that a Victoria's Secret catalog was responsible for a key aspect of the Gramm-Leach-Bliley Act. Read the story here. (Jan. 2005)

Introduction

Information that many would consider private--including bank balances and account numbers--is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.

The GLBA primarily sought to "modernize" financial services--that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use. Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these companies merge, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives. Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals: First, banks, brokerage companies, and insurance companies must securely store personal financial information. Second, they must advise you of their policies on sharing of personal financial information. Third, they must give consumers the option to opt-out of some sharing of personal financial information.

History of the GLBA

The history of the GLBA has its roots in the separation of banks, brokerage companies, and insurance companies. As a result of the financial failures of the Great Depression, Congress in 1933 passed the Glass-Steagall Act prohibiting national and state banks from affiliating with securities companies. In 1956, Congress passed the Bank Holding Company Act, which prohibited a bank from controlling a non-bank company. In 1982 Congress amended the Bank Holding Company Act to further forbid banks from conducting general insurance underwriting or agency activities. This changed, however, in 1999, when the GLBA repealed sections of these acts and allowed banks to engage in a wide range of financial services.

The privacy risks from such mergers were put onto the agenda by a series of international and domestic events. On the international front, in 1995, the EU passed the Data Protection Directive, which required that international data exchanges using EU citizens' personal data be accorded the same level of protection that their home country would afford them. This meant that US companies would have to ensure that when they used EU citizens' personal data they provided the same level of protection these citizens were afforded within the EU. The EU was especially concerned with the US government's preference for self-regulatory approaches to privacy and the lack of federal privacy legislation. While the EU and US agreed to a Safe Harbor proposal, which allowed companies to self-regulate under FTC oversight, financial services industries were not included in the original agreement.

In the United States, privacy was increasingly cited as being at risk. Public polls at the time indicated citizen privacy awareness and unhappiness with the banking industry's lack of concern for consumer privacy issues. These poll responses led to subsequent studies that indicated how much consumers were concerned with ineffectual bank privacy standards and the lack of consumer protections against unwanted information sharing.

These attitudes were further fueled by a series of high profile cases involving banks selling consumer information with adverse consequences for customers including marketing, credit fraud, and identity theft.

In November 1997, Charter Pacific Bank of Agoura Hills, California sold millions of credit card numbers to an adult website company, which then proceeded to bill customers for access to Internet porn sites and other services they did not request. Some of the customers billed did not even own a computer. The website company had set up numerous merchant accounts under different names to avoid detection. In September 2000, the FTC announced that it had won a $37.5 million judgment against the website company. While the bank maintained that it did not do anything wrong, it has since stopped selling credit card numbers to merchants.

In 1998, NationsBank (later merged with Bank of America) was fined millions for securities law violations because it shared customer information with its affiliate subsidiary Nations Securities. The subsidiary then convinced low-risk customers to buy high-risk investments. Many NationsBank customers lost large amounts, and many senior citizens lost large portions of their life savings.

In June 1999, the Minnesota Attorney General initiated a lawsuit against U.S. Bancorp for sharing customer information with third-party marketers, in violation of its own policies and without customer knowledge or authorization. The telemarketers then illicitly charged those customers. U.S. Bancorp eventually settled that case, along with those brought by 39 other state attorneys general. In April 2000, Minnesota settled with Memberworks, the third-party telemarketer that U.S. Bancorp had used. According to Memberworks' SEC filings, 19 of the 25 largest banks in the US had contracts with it. Other prominent banks, including Chase Manhattan and Citibank, have been involved in schemes where personal account information is sold to telemarketers.

This confluence of international and domestic events prompted Congress to include Title V in its GLBA provisions, which contains limited privacy protections for financial information. The GLBA was introduced in the Senate by Senator Phil Gramm (R-TX) as 106 S. 900 and in the House of Representatives by Representative James Leach (R-IA) as 106 H.R. 10. It was signed by President Clinton and became Public Law 106-102 (113 Stat. 1338) on November 11, 1999. The privacy protections are codified at 15 USC § 6801-6810.

Privacy Protections Under the GLBA

The GLBA's privacy protections only regulate financial institutions--businesses that are engaged in banking, insuring, stocks and bonds, financial advice, and investing.

First, these financial institutions, whether they wish to disclose your personal information or not, must develop precautions to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Second, financial institutions are required to provide you with a notice of their information sharing policies when you first become a customer, and annually thereafter. That notice must inform the consumer of the financial institutions' policies on: disclosing nonpublic personal information (NPI) to affiliates and nonaffiliated third parties, disclosing NPI after the customer relationship is terminated, and protecting NPI. "Nonpublic personal information" means all information on applications to obtain financial services (credit card or loan applications), account histories (bank or credit card) and the fact that an individual is or was a customer. This interpretation of NPI makes names, addresses, telephone numbers, Social Security Numbers and other data subject to the GLBA's data sharing restrictions.

Third, the GLBA gives consumers the right to opt-out from a limited amount of NPI sharing. Specifically, a consumer can direct the financial institution to not share information with unaffiliated companies.

Consumers have no right under the GLBA to stop sharing of NPI among affiliates. An affiliate is any company that controls, is controlled by, or is under common control with another company. The individual consumer has absolutely no control over this kind of "corporate family" trading of personal information.

There are several exemptions under the GLBA that can permit information sharing over the consumer's objection. For instance, if a financial institution wishes to engage the services of a separate company, they can transfer personal information to that company by arguing that the information is necessary to the services that the company will perform. A financial institution can transfer information to a marketing or sales company to sell new products (different stocks) or jointly offered products (co-sponsored credit cards). Once this unaffiliated third party has your personal information, they can share it with their own "corporate family." However, they themselves cannot likewise transfer the information to further companies through this exemption.

In addition, financial institutions can disclose your information to credit reporting agencies, financial regulatory agencies, as part of the sale of a business, to comply with any other laws or regulations, or as necessary for a transaction requested by the consumer.

Fourth, financial institutions are prohibited from disclosing, other than to a consumer reporting agency, access codes or account numbers to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail. Thus, even if a consumer fails to "opt-out" of a financial institution's transfers, the consumer's credit card numbers, PINs or other access codes cannot be sold, as they had been in some previous cases.

Fifth, certain types of "pretexting" were prohibited by the GLBA. Pretexting is the practice of collecting personal information under false pretenses. Pretexters pose as authority figures (law enforcement agents, social workers, potential employers, etc.) and manufacture seductive stories (that the victim is about to receive a sweepstakes award or insurance payment) in order to elicit personal information about the victim. The GLBA prohibits the use of false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution; the use of forged, counterfeit, lost or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution; and asking another person to get someone else's customer information using false, fictitious, or fraudulent documents or forged, counterfeit, lost or stolen documents.

However, investigators still can call friends, relatives, or entities not covered by the GLBA under false pretenses in order to gain information on the victim.

Problems with the GLBA

First, the GLBA does not protect consumers. It unfairly places the burden on the individual to protect privacy with an opt-out standard. By placing the burden on the customer to protect their data, GLBA weakens customer power to control their financial information. The opt-out provisions do not require institutions to provide a standard of protection for their customers regardless of whether they opt out. This provision is based on the assumption that financial companies will share information unless expressly told not to by their customers; if customers neglect to respond, it gives institutions the freedom to disclose customer nonpublic personal information.

Second, the GLBA notices are confusing and limit the transparency of information practices. GLBA assumes a company will explain a complex set of legal definitions added to numerous exceptions to the law in a way that will allow for an informed choice and in transparent language. There are reservations about a company's desire to do this.

Moreover, according to recent studies, most privacy and opt-out policies are usually convoluted, confusing, and misleading since they are created by entities whose interests are better served when there is no effective notice. GLBA does little to deal with the lack of transparency in the privacy notices themselves. Typical privacy notices do not include any specific information about how the data is actually used. GLBA notices do inform consumers that their personal information will be shared, but they generally do not inform the individual of who will receive the information or the purposes for which it will be used.

Third, the GLBA fails to enhance consumers' control over affiliate information sharing. Consumers have no opt-out right against affiliate information sharing. In today's world of mega-mergers, a bank may have over one thousand affiliates, some of which may be completely unrelated to financial services.

Fourth, financial institutions can evade opt-out requirements by exploiting the exceptions in the GLBA. The service provider/joint marketing exemption allows financial institutions to share information with non-affiliated third parties despite a consumer's opt-out.

Fifth, the GLBA has weak enforcement and compensation mechanisms. GLBA's enforcement mechanisms are inadequate to assure compliance with even existing weak privacy protections. Enforcement rests solely with federal government agencies, leaving the individual no private right of action.

How the GLBA Could Be Improved

Privacy advocates and industry groups have asked for some substantial changes to the GLBA to ensure greater protection and consumer security. Some of these changes include:

Financial institutions should implement an opt-in approach to the use of personal information because this minimizes any unwanted or unknowing disclosure of information and places the burden of responsibility on those actors who will gain from the disclosure of information.

If an opt-out framework is maintained, financial institutions should be obligated to offer and accept alternative opt-out methods. They should be required to provide simple opt-out processes, including easy access to privacy policies at branch offices and online through a single web site with opt-out information.

In order to ensure greater transparency and accountability, financial institutions should include in their privacy notices what the information is going to be used for. Financial institutions should be required to provide customers with a statutory right of access to learn more about industry practices: how the information is collected, who the institution's affiliates are, and what the collected information is used for.

Financial institutions should provide simply stated and clear privacy policies. Financial institutions should be required to follow acceptable standards for readability by displaying clearer and more transparent privacy reports.

Enforcement authority should be expanded to give states concurrent jurisdiction to enforce the provisions of GLBA, in order to ensure a more effective enforcement program.

Individuals should have the right to protect their privacy and seek remedies and redress under GLBA. As GLBA currently stands, there is no private right of action.

Individuals should be given the right to review information that is disclosed and to correct inaccurate or incomplete data.

State Law and the GLBA

As with most consumer protection legislation, the GLBA allows states to formulate protections that exceed federal law. The state law debate over GLBA privacy protections has primarily revolved around the question of whether to adopt an opt-in standard for information sharing, and whether to create protections for affiliate information sharing.

In California: Governor Gray Davis' focus upon privacy during his campaign has made California a place to watch. A broad-based coalition that includes the Consumers Union, the American Association of Retired Persons, the American Civil Liberties Union and other groups will launch an attempt to place the consumer financial privacy issue on the November 2002 ballot. The initiative, interestingly, is to be funded by an Internet executive. Chris Larsen, the CEO of E-Loan, felt strongly enough that consumer privacy fears were a major impediment to his business that he donated $1 million to fund the initiative.

In North Dakota: Shortly after the passage of the GLBA, North Dakota passed emergency legislation to eliminate opt-in protections in the state. Members of the State's Constitution Party strongly objected to this, and collected the 15,000 signatures necessary to get the issue placed on the ballot for statewide review. A group called "Protect Our Privacy" formed, and with the help of the American Civil Liberties Union (ACLU), they raised about $27,000 to campaign for opt-in support. An opposition group, driven mainly by bankers and financial interests, raised well over $100,000 to oppose opt-in. Much of that money was spent on misleading ads, including one that claimed ATMs would no longer work in the State if opt-in was adopted. This caused such controversy that the State Attorney General issued an opinion specifically rebutting this claim.

The referendum provided the first opportunity for voters to express their opinion on opt-in. And, consistent with the strong support for opt-in demonstrated in public opinion polls, the voters overwhelmingly rejected opt-out. 73% supported reestablishing the opt-in standard. North Dakota's action is likely to spark voter initiatives for opt-in in other states. Advocates in North Dakota also plan to expand opt-in next year by applying the standard to the insurance industry.

In Vermont: The State's Department of Banking, Insurance, Securities, and Health Care Administration adopted opt-in provisions for information sharing. To comply with the regulation, some companies have simply treated all Vermont residents as having opted-out under GLBA. However, a group of insurance companies has mounted a challenge to the requirements.

In other states: Alaska (Alaska Stat. § 06.05.175), Connecticut (Conn. Gen. Stat. Ann § 36a-42), Illinois (205 Ill. Comp. Stat. Ann. 5/48.1), and Maryland (Md. Code Ann. § 1-301) require some form of opt-in consent before financial information can be shared. Additionally, because efforts to obtain opt-in in California failed in 2001 and 2002, communities in that state have adopted opt-in ordinances. In 2002, both San Mateo County and Daly City adopted opt-in financial privacy ordinances. Bank of America and Wells Fargo Bank have brought suit to invalidate them.

On July 26, 2001, EPIC, along with Public Citizen and other organizations, submitted a petition to the agencies responsible for the GLBA with their concerns regarding financial privacy notices. In this petition, they requested an amendment to the regulations implementing GLBA to ensure that consumers are provided with better notice and more convenient means of exercising their right to opt out of information sharing.

EPIC argued that the notices mailed out thus far by financial institutions employed dense, misleading statements and confusing, cumbersome procedures that discouraged consumers from opting out. Their argument was that the GLBA could not protect privacy unless the Agencies required readable notices and reasonable opt-out opportunities. They believe that the existing scheme places much of the burden of privacy protection on consumers, and that recent privacy notices show that the regulations under GLBA are failing to protect consumer privacy. By providing obfuscated information and opt-out schemes couched in legalistic and confusing terms, with misleading options and limited alternative channels (such as 24-hour toll-free numbers), financial institutions sought to deprive consumers of their right to prevent these institutions from sharing private information. Moreover, most privacy notices lack adequate definitions of important terms and phrases; the Agencies should therefore amend existing GLBA regulations to ensure that consumers have meaningful opportunities to exercise their rights. These regulations should require financial institutions to provide standardized notices that consumers can understand and opt-out mechanisms that consumers can use conveniently.

The petition also includes specific recommendations regarding notices and opt-out mechanisms, including examples of clear statements and formats, the option to opt out by e-mail or through a web page, and a detachable, pre-addressed postcard with boxes in which to check off preferences. With these changes, the petitioners believe that consumers can exercise their right more effectively, with notices that are readable and understandable and opt-out mechanisms that are easy to use.

What You Can Do to Protect Your Privacy

Be sure to opt-out of information sharing from all of your financial, brokerage, and insurance companies. Privacy Rights Now, a website operated by Ralph Nader and Remar Sutton, has detailed opt-out information, including sample letters to send to financial institutions.

Wherever possible, minimize the amount of personal data given to commercial or governmental entities. Do not release contact information where it is unnecessary. Do not give out your Social Security Number unless it is required for tax purposes, such as employment or opening a bank account.

Don't give out personal information by phone, mail or the Internet unless you have initiated the contact or know whom you are dealing with. Pretexters may pose as representatives of survey firms, banks, Internet service providers and even government agencies to get you to reveal your SSN, mother's maiden name, financial account numbers and other identifying information. Legitimate organizations with which you do business already have the information they need and will not ask you for it.

Pay attention to your statement cycles and follow up with your financial institutions if your statements do not arrive on time.

Be mindful about where you leave personal information in your home, especially if you have roommates or are having work done in your home by others.

Add passwords to your credit card, bank and phone accounts.

Your credit report contains information on where you work and live, the credit accounts that have been opened in your name, how you pay your bills and whether you've been sued, arrested or have filed for bankruptcy. Checking your report periodically can help you catch mistakes and fraud before they wreak havoc on your personal finances.

Opt out of the Credit Reporting Agencies' (CRAs') pre-approved credit card offers. By calling 1-888-5OPTOUT (1-888-567-8688), you can stop most pre-approved credit card offers. However, you cannot opt out of the sale of credit headers. Be sure to specify that you wish to be permanently removed from pre-approved credit card offers; otherwise you will be placed back on the recipient list in two years. To permanently opt out, you will have to fill out a form that the CRA will mail to you.

Be aware of the price of marketing schemes. While they may convince you that conceding control of your personal data will bring offers of better products and services, for most people this does not translate into opportunity, but into more unwanted telemarketing calls, more junk mail, and more opportunities for sensitive information to make its way into the databases of online data brokers available to identity thieves, fraudulent credit repair services, and dubious charities, investments and other schemes.

Court Upholds Vermont Opt-In Insurance Privacy Law. A Vermont Superior Court has upheld (pdf) a state law that requires insurance companies to obtain opt-in consent before disclosing their customers' personal information to third parties. Vermont's opt-in standard is stronger than federal protections for privacy, and designed to address the problem presented by "financial companies as high volume traffickers of consumers' intimate, personal information…" For more information, see the affidavits of Richard Bower (on opt-in versus opt-out), William Lutz (on the readability of privacy notices), and the memorandum of the Vermont Attorney General supporting the opt-in law. (Feb. 18, 2004)

EPIC, PIRG Comment on Security Notices. In comments to the Department of the Treasury, EPIC and the U.S. Public Interest Research Group urged the agency to strengthen a proposed guidance on security notices to bank customers. The proposed guidelines specify when a financial institution must give notice to a customer when their personal information has been accessed without authorization. The comments urge the agency to expand the definition of "sensitive consumer information," and to require financial institutions to report statistical information on all security events to federal regulators. For more information, see the EPIC Gramm-Leach-Bliley Act Page. (Oct. 14, 2003)

Privacy Groups Urge the Senate to Strengthen Financial Privacy Law. EPIC has joined the testimony (PDF) of U.S. PIRG before the Senate Committee on Banking, Housing, and Urban Affairs in an oversight hearing on Financial Privacy and the Gramm-Leach-Bliley Act (GLBA). The testimony focuses on the failure of the GLBA to promote financial privacy, and on the rights of states to pass legislation that exceeds federal protections. For more information, see the EPIC GLBA Page. (Sept. 19, 2002)

FTC Prevails in Privacy Case Against Trans Union. The U.S. Court of Appeals for the District of Columbia Circuit has rejected free speech challenges by Trans Union to privacy regulations drafted by federal agencies pursuant to the Gramm-Leach-Bliley Act (GLBA). The decision will limit credit bureaus from using personal information for marketing. For more information, see the EPIC Profiling Page. (July 17, 2002)

EPIC, Consumer Groups, State AGs Argue for Stronger Privacy Safeguards for Financial Records. EPIC, Privacy Rights Clearinghouse, U.S. PIRG and Consumers Union submitted comments (PDF) on May 1 for a U.S. Treasury Department study on the effectiveness of Gramm-Leach-Bliley Act financial privacy protections. The study is required by law to shed light on the information sharing practices of the financial services industry. The comments describe flaws in the implementation of the GLB Act and demonstrate the benefits for consumers if an "opt-in" approach is adopted for financial information sharing. 37 state Attorneys General also filed comments for the study, stating that "current law does not adequately protect consumers' privacy" and poses a significant risk to consumers. (May 3, 2002)

Groups Petition Agencies to Improve Financial Privacy. EPIC has joined Public Citizen and other organizations in petitioning federal agencies to improve notice and opt-out mechanisms under the Gramm-Leach-Bliley Act (GLBA). The petition (PDF) urges the agencies to adopt requirements of clear, concise language for GLBA privacy notices and to require more effective measures to allow consumers to opt-out from financial information sharing. (July 2001)

Report: Opt-Out Notices Are Difficult to Understand. The Privacy Rights Clearinghouse has published a report showing that most opt-out notices required by the Gramm-Leach-Bliley Act are written at a second-year college level. Federal law requires that these notices must be written in "plain language." The notices explain how financial institutions collect, share, and use personal information and how individuals can opt-out from certain types of information use. (April 2001)

Proposed Financial Privacy Regulations Released. The Treasury Department, Federal Reserve, Federal Deposit Insurance Corporation, and Office of Thrift Supervision issued a joint notice of proposed rule-making on February 3. The rules (160K PDF) will govern how financial institutions may pass on customer information to affiliated and third parties. On February 24, the Federal Trade Commission released its own notice and rules (120K PDF) for financial institutions within its jurisdiction. Comments on both sets of proposed rules are due by March 31. (Feb. 2000)

Protecting Our Privacy (POP). POP is a non-profit, non-partisan organization formed by private citizens in North Dakota to repeal law SB 2191, which allows banks and financial institutions to release records without customer permission. It was successful in campaigning for an opt-in scheme with the support of 73% of the population.

Cases

Trans Union v. FTC, No. 00-1141 (D.C. Cir. 2001), cert. denied, 536 U.S. ____ (2002). In Trans Union, the Court of Appeals for the District of Columbia Circuit held that tradelines (credit information that includes name, address, date of birth, telephone number, Social Security number, account type, account opening date, credit limit, account status, and payment history) could not be sold for marketing purposes because they constituted a credit report for purposes of the Fair Credit Reporting Act (FCRA). Further, the Court rejected the profiler's claim that the First and Fifth Amendments invalidated the FCRA.

IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C. 2001) (PDF 1.9 MB). In Individual Reference Services Group v. FTC, a trade association representing credit reporting agencies and their customers unsuccessfully sued to overturn GLBA regulations. The credit reporting agencies sell products that use non-public personal information. For example, Trans Union sells products such as "Trace," which allows the user to input an individual's Social Security number and receive, in return, the name and address of that person; "Retrace," which enables a user who has an individual's name and address to obtain that person's Social Security and phone numbers; "ID Search," which permits a customer with a person's name and phone number to obtain that individual's Social Security number and current and former addresses; and other products that sell the above information along with account information. This decision was affirmed in Trans Union v. FTC, No. 01-5202 (D.C. Cir. 2002).